Posted to commits@ranger.apache.org by ma...@apache.org on 2016/12/16 01:20:14 UTC
incubator-ranger git commit: RANGER-1255: updated policy engine
initialization to handle invalid values in the downloaded policies JSON
Repository: incubator-ranger
Updated Branches:
refs/heads/master 18e248a4c -> 5e7b555cd
RANGER-1255: updated policy engine initialization to handle invalid values in the downloaded policies JSON
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5e7b555c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/5e7b555c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/5e7b555c
Branch: refs/heads/master
Commit: 5e7b555cd44e48f76c4b9939a3504459b9ab9523
Parents: 18e248a
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Tue Dec 13 17:47:44 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Dec 15 16:46:28 2016 -0800
----------------------------------------------------------------------
.../policyengine/RangerPolicyRepository.java | 34 ++++++++++++++++++++
.../ranger/plugin/service/RangerBasePlugin.java | 2 +-
.../ranger/biz/RangerPolicyRetriever.java | 10 ++++--
3 files changed, 43 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5e7b555c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index b08d4c5..45bb278 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -681,12 +681,46 @@ class RangerPolicyRepository {
}
}
+ scrubPolicyItems(policyId, policy.getPolicyItems());
+ scrubPolicyItems(policyId, policy.getAllowExceptions());
+ scrubPolicyItems(policyId, policy.getDenyPolicyItems());
+ scrubPolicyItems(policyId, policy.getDenyExceptions());
+ scrubPolicyItems(policyId, policy.getRowFilterPolicyItems());
+ scrubPolicyItems(policyId, policy.getDataMaskPolicyItems());
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyRepository.scrubPolicy(" + policy + "): " + altered);
}
return altered;
}
+ private void scrubPolicyItems(final Long policyId, final List<? extends RangerPolicy.RangerPolicyItem> policyItems) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyRepository.scrubPolicyItems(" + policyId + "): ");
+ }
+
+ for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
+ removeNulls(policyItem.getUsers(), policyId, policyItem);
+ removeNulls(policyItem.getGroups(), policyId, policyItem);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyRepository.scrubPolicyItems(" + policyId + "): ");
+ }
+ }
+
+ private void removeNulls(Collection<String> strings, final Long policyId, final RangerPolicy.RangerPolicyItem policyItem) {
+ Iterator<String> iterator = strings.iterator();
+
+ while (iterator.hasNext()) {
+ String value = iterator.next();
+ if (value == null) {
+ LOG.warn("RangerPolicyRepository.removeNulls: found null user/group in policyItem '" + policyItem + "' in policy " + policyId + "! Removing...");
+ iterator.remove();
+ }
+ }
+ }
+
void reorderPolicyEvaluators() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> reorderEvaluators()");
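Review bot: scrubPolicyItems() dereferences `policyItems` and each `policyItem`, and removeNulls() calls `strings.iterator()`, all without a null check, so the scrub added for malformed policy JSON can itself throw a NullPointerException if a list or an item is null (the hunk does not show whether the getters guarantee non-null). Guards such as `if (policyItems == null) { return; }`, `if (policyItem == null) { continue; }` and `if (strings == null) { return; }` would make it tolerate that input. The removals also do not feed into `altered`, which scrubPolicy() returns just below the new calls; if callers depend on that flag, have both helpers return a boolean and OR it in. scrubPolicy() starts above the hunk and reorderPolicyEvaluators() continues past it.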
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5e7b555c/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 326d650..c34aa19 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -184,7 +184,7 @@ public class RangerBasePlugin {
LOG.error("preCleanup() failed on the previous policy engine instance !!");
}
} catch (Exception e) {
- LOG.error("setPolicies: policy engine initialization failed! Leaving current policy engine as-is.");
+ LOG.error("setPolicies: policy engine initialization failed! Leaving current policy engine as-is. Exception : ", e);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5e7b555c/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
index 5258a74..1b6f440 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
@@ -637,7 +637,10 @@ public class RangerPolicyRetriever {
XXPolicyItemUserPerm xUserPerm = iterUserPerms.next();
if(xUserPerm.getPolicyitemid().equals(xPolicyItem.getId())) {
- policyItem.getUsers().add(lookupCache.getUserName(xUserPerm.getUserid()));
+ String userName = lookupCache.getUserName(xUserPerm.getUserid());
+ if (userName != null) {
+ policyItem.getUsers().add(userName);
+ }
} else {
if(iterUserPerms.hasPrevious()) {
iterUserPerms.previous();
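Review bot: The new `if (userName != null)` branch drops an unresolvable user id without any trace, so a policy item can be served to plugins with fewer principals than are stored; for a deny item that may quietly narrow who is denied. A warning in an else branch would make the gap auditable, e.g. `LOG.warn("No user name found for user id " + xUserPerm.getUserid() + " in policy item " + xPolicyItem.getId() + "; skipping");` (this assumes the class has a logger, which the hunk does not show). The same applies to the `groupName` check in the hunk at -650. The enclosing loop and method start and end outside both hunks.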
@@ -650,7 +653,10 @@ public class RangerPolicyRetriever {
XXPolicyItemGroupPerm xGroupPerm = iterGroupPerms.next();
if(xGroupPerm.getPolicyitemid().equals(xPolicyItem.getId())) {
- policyItem.getGroups().add(lookupCache.getGroupName(xGroupPerm.getGroupid()));
+ String groupName = lookupCache.getGroupName(xGroupPerm.getGroupid());
+ if (groupName != null) {
+ policyItem.getGroups().add(groupName);
+ }
} else {
if(iterGroupPerms.hasPrevious()) {
iterGroupPerms.previous();